No matter how hard we try, it's simply not possible to use technology to enforce all of our policies. We can use technology to force users to change their passwords every six weeks, or to ensure that they pick reasonably secure passwords, but there's no technology that prevents users from sharing passwords with one another, or from unwittingly (or deliberately) strolling out of the office with a printout of our customer list.
We therefore need a way to deal with this kind of issue. The first step to making things run as they should is to write down exactly how they should be run.
Rules of engagement
Just as our staff share the responsibility of maintaining a safe working environment, it is fair to expect them to play a part in assisting with the smooth and secure running of the computer systems. Because the majority of staff will generally be non-technical, we need to document, in simple terms, the rights and wrongs of using our computer systems. The terms in our "acceptable use policy", or whatever we wish to call it, should cover all aspects of user-created problems, including password sharing, the removal of confidential material, appropriate use of email (not least profanity and libel) and rules regarding the connection/disconnection of devices on the company network. It's essential to give yourself a sound basis upon which you can then build the training aspect of the policy.
Training is a step that some organisations omit from the policy implementation - they choose simply to write the rule book and then bollock people for not sticking to it. While this often has the desired effect with regard to stamping out misuse, it also leads to animosity and inefficiency. Although the users aren't doing things the wrong way, they're not necessarily doing them the right way (or at least the most efficient way) either. If you stop people doing something one way, and leave them to their own devices, in the average case they'll find another wrong way to do it.
You must therefore provide training, probably both in person-to-person sessions and on paper, that shows the users how they should be achieving their goals using the computer systems.
In some cases the rules will simply be "Thou shalt not do X", in which case you should at least explain why not; if someone understands why it's important, they will be more comfortable abiding by the rules. (Example: sending libellous or insulting e-mails - there's no correct way to send an insulting e-mail, you just need to stamp it out and be clear about why it's unacceptable).
In other cases the rules will apparently prevent someone from doing their job, in which case you have to show the users the correct way to proceed. (Example: sharing passwords. If they want to get at each other's document templates, point them toward the shared directory for their group, lead them through how to use it, and reassure them that if they get stuck, they just need to call and you'll arrange further training).
In many cases, the "wrong" approach that the users are taking, which is causing them to breach our rules, is not the easiest approach - it's just that they're not aware that there's an easier way to do it. Users (particularly non-technical ones) will normally follow the path of least resistance. With correct training, early on in their time with the company (so they don't get into any bad habits), you can easily mould them to regard the correct way of doing things as the normal way.
Once you've written the procedures and gone through them with the users, you must ensure that you provide adequate backup for them. This means responding to their requests correctly and trying to find the time, wherever possible, to help them do things right. If someone calls in a flap and you don't have the time, NEVER say things like "Oh, I'm busy now, just get Sharon to log in as herself to your PC as she has access to that file" because there's no turning back.
In many cases, you'll find that once the users are getting used to the correct way of working, they will come and ask for more, so you need to be ready to supply it. For instance, once a group is used to its shared directory, you'll find that other groups start phoning to ask for similar facilities. Obviously, you have to relate the requests to the structure of the company and ensure that you implement only the sensible ones. But again, it's important to (a) be there to provide the facilities in a timely manner if it's valid to do so; (b) train the staff on how to use them; and (c) explain why you can't do it if the request doesn't fit the corporate policy or, more likely, the budget.
To anyone who knows me, the last two sections will have sounded way too touchy-feely to have been written by me. In fact it's quite satisfying to implement systems that the users find easy to use correctly, and to see the look of realisation on the users' faces. After all, if the users are comfortable with how to do stuff, it reduces the support load and leaves the IT guys more time to do the interesting stuff like seeing how fast Quake runs on the new quad-Xeon server that arrived this morning.
On a more stern note, however, a properly implemented policy, plus an appropriate training and backup regime, is also an essential backstop for the (thankfully less common) issues of misuse - namely those users who deliberately break the rules.
If a manager finds himself in an employment tribunal, sitting on the other side of the table from a staff member he fired for misuse of computer resources, he needs to be certain of his position. If the ex-staffer can validly say: "I know it's an offence to use someone else's password but there was no other way I could get this sales quotation done, my director insisted it had to be done that day and the IT staff weren't answering the phone", then the company is likely to be writing a sizeable cheque for unfair dismissal.
If, on the other hand, the manager can easily demonstrate that there was no need to use someone else's password because there was a perfectly usable shared directory containing everything the person needed (and the person had been appropriately trained on its use two months previously; there were no requests in the support log from that user or his department relating to the use of that shared resource; and the user had been warned and re-trained for the same offence on a previous occasion), then the company is on much more solid ground.
Although often perceived by the masses as an obstacle to efficient business operation, the implementation of an appropriate policy regarding acceptable computer use can actually have quite the opposite effect. Not only this, but it can benefit both the company and the users, since both productivity and morale generally peak when everyone understands what's going on and is comfortable with how to do the job. The final, and more serious, consequence of a properly implemented policy, though, is that it gives the organisation a decent, firm basis upon which it can build a reliable, solid disciplinary process ready for those occasions when the wheels do come off.